# Migrate from depscan v5 to v6

Use this document as a reference to migrate your depscan v5 workflows to v6.

## CLI arguments (BREAKING)

- `-o` is now an alias for `--reports-dir`. This is the output directory to store the reports.
- All `threatdb` related arguments and submit bom functionality are removed.
- `--cache`, `--sync`, `--no-error`, `--no-license-scan` arguments are removed.
- `--bom-engine` argument defaults to `auto`. In environments where the `docker` command is available, depscan automatically chooses a container-image–based SBOM generation. Pass `--bom-engine CdxgenGenerator` to force depscan to use the local cdxgen CLI.
- `--vulnerability-analyzer` argument defaults to auto. Depending on the `--bom-dir` argument, depscan will either perform a lifecycle-based vulnerability analysis or the standard VDR analysis (similar to depscan v5).
- By default, only PURL-based searches are performed. As a result, depscan v6 yields fewer but more accurate results compared to v5. To perform a fuzzy search by generating variations of package names, use the --fuzzy-search argument. This is recommended when the input SBOM lacks a PURL.
- `--reachables-slices-file` argument is removed.

## Packages/Dependencies changes

- `quart` package is an optional dependency in v6. To use the server mode, do `pip install owasp-depscan[all]`.
- `oras` is an required dependency via `appthreat-vulnerability-db[oras]` and `blint`.

## Build and packaging

- dep-scan repo uses `uv` for building and packaging.
- The `scan` command alias has been removed. Use the `depscan` command to invoke the CLI.

## Reports

- `.vdr.json` file is now correctly created in the reports directory. In v5, depscan used to create bom.json directly in the input directory when using the `appsec` or `research` profile. This workaround has been completely removed in v6.
- BOMs created by depscan now use the new `.cdx.json` extension with the sbom-project_type prefix. Example: sbom-java.cdx.json, sbom-docker.cdx.json.
- When invoked with the --bom-dir argument containing multiple BOM files or when using the new lifecycle analyzer, a single VDR file named `depscan-universal.vdr.json` is created under the reports directory.
- The JSON Lines file `depscan.json` is no longer created.
- PDF reports based on Rich HTML reports are no longer available. Use the browser print functionality in the HTML report to export to PDF.

## Remote audit

In v6, remote audit (e.g., for the nodejs project type) is disabled by default. To include remote audit results, invoke depscan with `--risk-audit` or set the environment variable `ENABLE_OSS_RISK=true`.

## Server mode

Server-related functionality has been extracted to a separate project called `ds-server-lib` and is now optional.

- The `/download-vdb` endpoint is no longer available to remove oras as a dependency for the server lib.
